Downloads

Layer 2 Tunneling Protocol version 3 (L2TPv3) allows service providers and large enterprises with native IP core networks to offer high-speed Layer 2 tunneling or VPN services to end-user customers, in conjunction with their Layer 3 VPN offerings. L2TPv3 VPN services can be provided without increasing the expenditure for capital equipment by simply upgrading Cisco IOS Software. L2TPv3 is provided as part of the Unified VPN portfolio of leading-edge VPN technologies available over the widest breadth of Cisco routers.

L2TPv3 is emerging as a core tunneling and VPN technology for next-generation networks. L2TPv3 provides the flexibility and scalability of IP with the privacy of Frame Relay and Asynchronous Transfer Mode (ATM). L2TPv3 will allow network services to be delivered over routed IP networks. Service decisions will be made at the VPN and tunnel endpoints and switched without requiring intermediate preprocessing, providing higher efficiency and scalability.

By reducing customer networking complexity and cost, L2TPv3 VPNs allow service providers to serve a more diverse base of small and medium-sized businesses. Rather than setting up and managing individual point-to-point circuits between each office, a business provides only one connection from its office router to a service-provider edge router. Service providers expand service offerings and generate additional revenue by offering customers VPNs with managed Internet, intranet, and extranet without the complexity that these applications previously required.

L2TPv3 technology allows a pair of routers connected via an IP network to provide high-speed transparent Layer 2 connectivity between a pair of interfaces. This functionality can be used to build Layer 2 VPNs or to support traditional (Frame Relay, ATM, leased-line) network migration. L2TPv3 tunnels are available with the IOS basic IP package.

This section discusses interface-based L2TPv3, wherein all traffic between two customer network sites is encapsulated in an IP packet and sent across an IP network. The internal routers of the IP network treat the traffic as any other IP packet and do not need to know anything about the customer networks. This process is known as Layer 2 tunneling (Figure 1).

Figure 1L2TPv3 Operation

In Figure 1, routers R1 and R2 provide L2TPv3 services. These routers communicate with each other using the IP protocol through a path comprising the interface Int2, the IP network, and interface Int3. In this example, routers R3 and R4 communicate through Packet-over-SONET (POS) interfaces using an L2TPv3 tunnel. The L2TPv3 tunnel Tu1 is configured between interface Int1 on R1 and interface Int4 on R2. Any packet arriving on interface Int1 on R1 is encapsulated in L2TPv3 and sent via the tunnel (Tu1) to R2. R2 decapsulates the packet and transmits it on interface Int4 to R4. When R4 needs to send a packet to R3, the packet follows the same path in reverse.

Note the following regarding L2TPv3 operation:

All packets received on interface Int1 will be forwarded to R4. R3 and R4 cannot see the intervening network.

In Cisco 12000 Series Internet routers, the other LAN ports on the card that are not being used for L2TPv3 must have a router connected to them. When Media-Access-Control (MAC) filtering assisted by Content-Addressable Memory is turned off to allow L2TPv3 to work, it is turned off on all ports.

This same method is used for Ethernet interfaces: Any packet received from LAN1 by R1 on Ethernet interface E1 will be encapsulated in L2TPv3 and sent via tunnel Tu2 to R2 interface E2, where it will be transmitted on LAN2.

This same method is used for Frame Relay subinterfaces: Any packet received from LAN1 by R1 on a subinterface will be encapsulated in L2TPv3 and sent via tunnel to R2 subinterface, where it will be transmitted on LAN2.

When data enters a L2TPv3 tunnel ingress interface, it is encapsulated with an additional L2TPv3 header (Figure 2). The L2TPv3 header consists of:

Payload independent header (12 bytes)

P delivery header (20 bytes)

The L2TPv3 header takes the format shown in Figure 2.

Figure 2Packet Encapsulation with L2TPv3

The L2TPv3 header parameters are:

Delivery headerThe header needed to carry the L2TPv3 packet across the delivery network. This is an IPv4 header. The delivery header is 20 bytes.

L2TPv3 headerContains the necessary information needed to uniquely identify the tunnel context at the de-encapsulation point. The payload independent header is 12 bytes.

PayloadTo be transported by L2TPv3. It may be a link layer frame or a network layer packet.

Tunnel identifierIdentifies the tunnel context on the decapsulating system. The value of the tunnel ID is selected to optimize the context identification efficiency of the decapsulating system. A decapsulation implementation may therefore elect to support a smaller tunnel-identifier bit field. In this implementation this was achieved by setting an upper value for the L2TPv3 tunnel identifier of 1023. The L2TPv3 tunnel identifier value 0 is reserved for use by the protocol.

Tunnel cookieAn 8-octet signature that is shared between the two endpoints of an L2TPv3 tunnel. This tunnel cookie reduces the chance that contamination of the decapsulated traffic will occur because of an error in configuration. This signature is configured at both the source and destination routers and must match, or the data will be dropped.

Raw mode is the ability to tunnel information that is arriving over a given physical interface without regard to the type of information being carried. In Raw mode, a physical interface is attached to both ends of an L2TPv3 tunnel. All packets and frames that arrive on this interface are passed through the tunnel. The physical interfaces associated with the tunnel endpoints must be of the same type. Cisco Systems currently supports serial, POS, and Ethernet interfaces in raw mode.

Raw mode can be used effectively to support virtual leased lines. Virtual leased lines are a common requirement from Enterprises wishing to connect remote sites together over a clear channel service.

Figure 3 illustrates the function of L2TPv3 in providing this service.

Figure 3Virtual Leased Line with L2TPv3 Logical Topology

In this case, two DS-3 serial interfaces are connected to the customer's network (Enterprise A). Int2 and Int3 form the ingress and egress points of the L2TPv3 tunnel. The service provider maintains IP connectivity between PE A and PE B using standard routing protocols. This forms the fabric for the Layer 2 VPN to be established. Any packets being sent over the DS-3 from the customer's edge router (CE A) will be automatically encapsulated with an L2TPv3 header and forwarded across the IP network to the egress interface on PE B and decapsulated. Then the entire original High-Level Data Link Control (HDLC) frame is forwarded out of the serial interface (Int3) and on to the customer router CE B, thus completing the Layer 2 circuit emulation.

Frame Relay support is designed to support the tunneling of individual virtual circuits (VCs) that are allocated on a single physical interface. In this scenario, the VC associated on a given interface can be tunneled to different destinations. In Figure 4, the ability to tunnel individual VCs is used to deploy a hub-and-spoke type network topology over an IP core.

Figure 4Packet Encapsulation with L2TPv3

The following advanced scenario outlines a service offering that a service provider may wish to support. The customer is an existing enterprise with a Frame Relay hub-and-spoke network. The service provider wishes to offer Internet access coupled with managed firewall and multimedia services. Figure 5 illustrates this service architecture.

The enterprise connects to the service provider with a traditional serial interface configuring Frame Relay encapsulations and a subinterface point-to-point configuration. Designating which subinterfaces will be the corporate intranet and which will provide Internet access. This decentralizes Internet access in traditional hub-and-spoke configurations, thus reducing the bandwidth requirements at the hub site. The enterprise is free to run an autonomous routing policy and even add IP Security (IPSec) encryption for enhanced security requirements.

Support of the L2TPv3 feature in Cisco 10720 Internet routers allows service providers to offer Ethernet services to their customers by extending their Ethernet or virtual LAN (VLAN) from one location to the other using the L2TPv3 tunnel.

Figure 6L2TPv3 Operation on Cisco 10720 Internet Routers

In Figure 6, the two routers at the end of the L2TPv3 tunnel are connected via a point-to-point POS link. The functionality supported is Layer 2-to-Layer 2 extension over the L2TPv3 tunnel. Either the entire interface or the VLAN subinterface can be mapped to a L2TPv3 tunnel to extend Ethernet over the IP network. This mechanism allows service providers to offer Ethernet services over a wide area.

When L2TPv3 is used to connect customers across the IP backbone, the physical interface connecting to the customer's network becomes the tunnel ingress/egress interface. The interfaces on the Cisco 10720 Internet routers that can be used as an ingress or egress can be either Ethernet or 802.1Q-encapsulated subinterfaces.

The Internet service provider routers communicate normally using the IP routing protocols configured across the IP core network. The customer routers (CE routers) communicate across the configured L2TPv3 tunnels. Any data packet that is received by the Cisco 10720 Internet Router is encapsulated with a L2TPv3 header and sent via L2TPv3 tunnel, either L2TPv3 Tunnel 1 or L2TPv3 Tunnel 2. Data packets arriving from customer sites can travel over the main Ethernet interface. In this scenario, packets are encapsulated with the L2TPv3 header and sent to the other site.

If customer data packets are coming in over an 802.1Q-encapsulated interface, packets will still be encapsulated with an L2TPv3 header and sent to the other Cisco 10720 Internet Router. On the receiving end, the Cisco 10720 Internet Router decapsulates the L2TPv3 header and forwards the encapsulated 802.1Q traffic to the other customer CE router.

Figure 7 shows the operation of LAN-to-LAN connectivity using an L2TPv3 tunnel. Incoming packets from LAN1 home in on the Ethernet interface of the Cisco 10720 Internet Router No. 1. Data packets from the customer are encapsulated with an L2TPv3 header and sent across the IP core backbone using IP routing to the egress Ethernet interface of Cisco 10720 Internet Router No. 2.

Figure 7Ethernet over L2TPv3

The Cisco 10720 Internet Router on the receiving side decapsulates the data packets and forwards the traffic to LAN2. A similar operation occurs if traffic originates from LAN2. LAN1 and LAN2 become connected across the IP backbone network, and the Cisco 10720 Internet Router relays the Layer 2 data packets without the need to get involved with the customer in any routing or knowledge of the customer IP addresses. Both customer sites appear as if they are connected to the same wire. This can be extended to multiple sites if needed. The main difference in this case is that on the customer sites there are no Layer 3 routers, so L2TPv3 extends Layer 2 connectivity across the IP-enabled core for the service provider.

The VLAN ID Rewrite feature applies to L2TPv3 tunnels that are attached to 802.1Q VLAN interfaces on a Cisco 10720 Internet Router. The egress side of an L2TPv3 tunnel that is mapped to a VLAN rewrites the VLAN ID in outgoing 802.1Q packets to the ID of the local VLAN.

This feature allows you to use VLAN interfaces with different VLAN IDs at both ends of an L2TPv3 tunnel. When you use the VLAN ID Rewrite feature, Cisco recommends using the Spatial Reuse Protocol (SRP) as the backbone interface on the Cisco 10720 Internet Router.

In Figure 8, traffic from the customer network on Site 1 is sent to an ingress interface on the provider network edge router. When the interface is configured for L2TPv3 tunneling, all arriving packets are forwarded to the tunnel card. The tunnel card encapsulates the packet with an encapsulation header containing the IP and L2TPv3 header information. The encapsulated packet is then sent to the appropriate egress card, which sends the packet to the IP network as a normal IP packet.

When an encapsulated L2TPv3 packet arrives at the tunnel card, the packet is checked for a valid session ID and a matching L2TPv3 key. If any of the two are not correct, the packet is silently dropped. (The user is not notified.) If the session ID and L2TPv3 key are correct, the tunnel card decapsulates the packet (by removing the IP+L2TPv3 header) and sends the packet to the egress card. The egress card then sends the packet to the customer network. It does not add a new Layer 2 header. (The Layer 2 header is carried from the origin of the tunnel.)

Note If the tunnel card receives non-L2TPv3 packets (other IP/Internet Control Message Protocol [ICMP] packets such as a ping "loopback address"), the packets are sent to the line card CPU and to the route processor.

The maximum number of L2TPv3 tunnels that can be configured is limited to 1022 tunnels.

The Maximum Transmission Unit (MTU) on the customer's interface must be set so that no fragmentation is required throughout the tunnel path. This is necessary because L2TPv3 tunnels do not support fragmentation. (A solution is being developed.)

The MTU in the IP backbone must be x bytes larger than the MTU that operates on the pseudo-wire. The value for x is: